Hidden Services, Current Events, and Freedom Hosting

Around midnight on August 4th we were notified by a few people that a large number of hidden service addresses had disappeared from the Tor network. There are a variety of rumors about a hosting company for hidden services: that it is suddenly offline, that it has been breached, or that attackers have placed a JavaScript exploit on its web site.
A hidden service is a server, often delivering web pages, that is reachable only through the Tor network. While most people know that the Tor network, with its thousands of volunteer-run nodes, provides anonymity for users who don't want to be tracked and identified on the internet, the lesser-known hidden service feature of Tor also provides anonymity for the server operator.
Anyone can run hidden services, and many do. We use them internally at The Tor Project to offer our developers anonymous access to services such as SSH, IRC, HTTP, and our bug tracker. Other organizations run hidden services to protect dissidents and activists, and to protect the anonymity of users seeking help for suicide prevention, domestic violence, and abuse recovery. Whistleblowers and journalists use hidden services to exchange information in a secure and anonymous way and to publish critical information in a way that is not easily traced back to them. The New Yorker's Strongbox is one public example.
Hidden service addresses, aka .onion domains, are generated cryptographically and automatically by the tor software: the address is derived from the service's own public key, so a client can verify it against that key rather than look it up anywhere. They look like this: http://idnxcnkne4qt76tg.onion/, which is our torproject.org website as a hidden service.
There is no central repository or registry of addresses. The .onion address is both the name and the routing address for the services hosted there. The Tor network uses the .onion address to direct requests to the hidden server and to route data from the hidden server back to the anonymous user. The design of the Tor network ensures that the user cannot learn where the server is located and the server cannot learn the IP address of the user, except by intentional malicious means such as hidden tracking code embedded in the web pages delivered by the server. Additionally, because the network is run by thousands of volunteers and has no central registry, there is no single point at which individual .onion addresses can be censored or blocked.
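The binding between a .onion name and a key is what makes a registry unnecessary. The following is an added example, not code from the Tor Project or from this post: it reproduces the 2013-era (v2) derivation, in which the address is the first 80 bits of the SHA-1 hash of the DER-encoded RSA-1024 public key, base32-encoded and lower-cased, giving the 16 characters seen above. The `SAMPLE_KEY_DER` bytes are a constructed placeholder standing in for a real DER blob, not an actual key, and `verify_onion` is this example's own helper showing the check a client can perform on a descriptor's key.

```python
"""Derive and verify a v2 .onion address from a hidden service public key.

Added example (not Tor Project code). Algorithm per the v2 rendezvous design:
    address = lower(base32(SHA1(DER(RSAPublicKey))[:10]))
10 bytes = 80 bits = exactly 16 base32 characters, so no '=' padding appears.
"""
import base64
import hashlib
import hmac
import re

# Valid v2 names: 16 lowercase base32 characters (a-z, 2-7).
ONION_V2_RE = re.compile(r"^[a-z2-7]{16}$")

# Constructed stand-in for the DER encoding of an RSAPublicKey. This is NOT a
# real key; any byte string works for demonstrating the derivation.
SAMPLE_KEY_DER = bytes.fromhex("30818902818100" + "ab" * 128 + "0203010001")


def onion_address(pubkey_der: bytes) -> str:
    """Return the 16-character .onion name (without suffix) for a DER public key."""
    digest = hashlib.sha1(pubkey_der).digest()
    return base64.b32encode(digest[:10]).decode("ascii").lower()


def verify_onion(pubkey_der: bytes, hostname: str) -> bool:
    """Check that a claimed .onion name is bound to the given public key.

    A client that already knows the name (from a link, a friend, a printed
    card) can reject any descriptor whose key does not hash to it. No
    registry or certificate authority is consulted; the name is the identity.
    """
    name = hostname.strip().lower()
    if name.endswith(".onion"):
        name = name[: -len(".onion")]
    if not ONION_V2_RE.match(name):
        return False
    # Constant-time compare is not strictly needed here but costs nothing.
    return hmac.compare_digest(onion_address(pubkey_der), name)


if __name__ == "__main__":
    addr = onion_address(SAMPLE_KEY_DER)
    print(f"http://{addr}.onion/")
    print("matches key:", verify_onion(SAMPLE_KEY_DER, addr + ".onion"))
    print("tampered key:", verify_onion(SAMPLE_KEY_DER + b"\x00", addr))
```

Feeding a real service's DER-encoded public key (the `RSA PUBLIC KEY` block from a v2 `private_key` file, DER-decoded) into `onion_address` reproduces the name in that service's `hostname` file. The inverse also holds: an attacker who wants to impersonate a .onion must produce a key that hashes to the same 80 bits, which is why there is nothing to seize or poison at a registry.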
The person, or persons, who run Freedom Hosting are in no way affiliated or connected with The Tor Project, Inc., the organization coordinating the development of the Tor software and research. In the past, adversaries have skipped trying to break Tor hidden services and instead attacked the software running on the server behind the .onion address. Exploits for PHP, Apache, MySQL, and other software are far more common than exploits for Tor. The current news indicates that someone has exploited the software behind Freedom Hosting. From what is known so far, the breach was used to configure the server so that it injects some sort of JavaScript exploit into the web pages delivered to users. This exploit is used to load a malware payload that infects users' computers. The malware payload could be trying to exploit potential bugs in Firefox 17 ESR, on which our Tor Browser is based. We're investigating these bugs and will fix them if we can.
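Because the compromise described here lives in the server configuration rather than in the site's own files, the useful check for a hidden service operator is to compare what the server actually sends with what it should send. The following is an added example, not code from the Tor Project, from this post or from Freedom Hosting: a small scanner over served HTML that reports every script source not on an allowlist, every inline script and every iframe, and flags iframes sized or styled to be invisible, which is the usual way an injected loader is hidden. Both HTML documents in it are constructed samples; the injected one is illustrative and is not the payload discussed here.

```python
"""Flag script/iframe content in served HTML that an operator did not put there.

Added example (not Tor Project or Freedom Hosting code). Intended use: fetch a
page through the hidden service as a client would, run scan_html() over the
response body with the scripts the site legitimately uses as the allowlist,
and alert on anything else. The sample pages below are constructed.
"""
from html.parser import HTMLParser

CLEAN_PAGE = """<html><head><title>Forum</title>
<script src="/static/forum.js"></script></head>
<body><h1>Welcome</h1><p>Nothing unusual here.</p></body></html>"""

# Constructed illustration of server-side injection: a zero-size iframe pulling
# from another host plus an inline script appended before </body>. Not the real one.
INJECTED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    '<iframe src="http://otherhost.example/x" width="0" height="0" '
    'style="display:none"></iframe>'
    '<script>var f=document.createElement("iframe");</script></body>',
)


class InjectionScanner(HTMLParser):
    """Collect (kind, detail) findings for scripts and iframes in a document."""

    def __init__(self, allowed_script_srcs):
        super().__init__()
        self.allowed = set(allowed_script_srcs)
        self.findings = []
        self._in_script = False
        self._script_buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            self._script_buf = []
            src = a.get("src")
            # Inline bodies are judged in handle_endtag once their text is known.
            if src is not None and src not in self.allowed:
                self.findings.append(("external-script", src))
        elif tag == "iframe":
            src = a.get("src", "")
            style = (a.get("style") or "").replace(" ", "").lower()
            hidden = (
                a.get("width") in ("0", "1")
                or a.get("height") in ("0", "1")
                or "display:none" in style
                or "visibility:hidden" in style
            )
            self.findings.append(("hidden-iframe" if hidden else "iframe", src))

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies as raw text (CDATA mode).
        if self._in_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            body = "".join(self._script_buf).strip()
            if body:
                self.findings.append(("inline-script", body[:60]))
            self._in_script = False


def scan_html(html, allowed_script_srcs=()):
    """Return a list of (kind, detail) findings; an empty list means nothing unexpected."""
    scanner = InjectionScanner(allowed_script_srcs)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    allow = ["/static/forum.js"]
    print("clean   :", scan_html(CLEAN_PAGE, allow))
    print("injected:", scan_html(INJECTED_PAGE, allow))
```

Run it against pages fetched over Tor and diff the findings against the files on disk; a script or iframe present in the response but absent from the source tree points at the web server, a module, or a reverse proxy, not at the application. The allowlist is deliberately exact-match: an injected copy of a legitimate script name on a different path should still be reported.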
As of now, one of multiple hidden service hosting companies appears to be down. There are lots of rumors and speculation as to what's happened. We're reading the same news and threads you are and don't have any insider information. We'll keep you updated as details become available.

EDIT: See our next blog post for more details about the attack.

Both of these comments show a huge misunderstanding of the psychology behind what drives these people to do what they do.

To the first poster... access to these photos will not suppress the desire to make fantasies or act them out in real life, rather they will encourage it. Also remember that these photos had to be made. For every photo made, a child has effectively had their life destroyed.

To the second... I call bullshit. The difference between this and all the groups you listed is that the groups you listed consist of CONSENTING ADULTS. You might as well say that because photographs of people having sex with animals is illegal that in future years, a more enlightened race of humans will embrace the love between a woman and her English sheepdog.

  • 'Both of these comments show a huge misunderstanding of the psychology behind what drives these people to do what they do.'
  • Quite the opposite actually, they seem to understand the situation far better than you do. Let's take the next bit.

  • 'access to these photos will not suppress the desire to make fantasies or act them out in real life, rather they will encourage it.'
  • Incorrect. There are a number of peer reviewed research papers that demonstrate the opposite of this (see Milton Diamond), there is also no causation or correlation between viewing and doing. I think you should start looking at real research, instead of self congratulatory bunk created by children's charities and dedicated task forces who live off the money generated by misinformation.

  • 'For every photo made, a child has effectively had their life destroyed.'
  • Totally incorrect. The VAST majority of pictures are neither porn, nor abusive. The TINY minority of pictures that would actually class as 'life destroying', are neither welcomed widely by viewers, nor requested outside of very small groups. I don't blame you for not knowing that, the information that provides the proof has been completely censored from view, using the laws you support, with ACTUAL life destroying consequences for those that see it and are subsequently prosecuted. If you want to really know what's going on, I suggest you find the document released on wikileaks by Mr X, that gives a far more accurate view of the so called 'CP Industry'. What you're doing here, is spreading emotive propaganda. The same stuff that the people who use CP as an excuse to censor the internet spread, because it's very hard to argue against the protection of children, of which prosecution of possession does nothing for. Which is why anyone with censorship as a goal uses it.

  • 'The difference between this and all the groups you listed is that the groups you listed consist of CONSENTING ADULTS.'
  • Maybe they are seen as that now, but in the period he was referencing, they are a perfect analogy. At the time same sex relationships were as illegal as underage relationships are now, and just as viciously persecuted. They may have been adults, but they couldn't consent to sex for that purpose (at the time both morally and legally). Just because it's legal now, and we all have a new 'enlightened' view on it, does not change the past. If the age of consent was lowered to 10 tomorrow, it would no longer be illegal, simple as that (it's been that low before, it may be that again one day, who knows). But hey, your views are in the majority, and the majority has never been wrong about sexuality before, or gender, or race...

    [disclaimer] I don't believe in the legalisation of production, but based on the misinformation that's continually spread, and used as an excuse to shut down avenues of free speech, it should NEVER be illegal to possess information. As this poster has demonstrated, misinformation is easy to maintain, when the evidence is concealed. It also helps to protect the producers far more when possession is criminalised, which in turn helps harm those children who have actually been abused to make the images, far more.

    Without a large group of obese balding men in their late 40's to 50's, there would be no market for CP. Since there is however, and these men desire such images, it creates a demand which some fathers, uncles, etc. are all too eager to provide. No child wants to grow up and look back thinking, "thanks daddy for putting images of me out there sucking on your wang when I was 4 years old". The argument it doesn't harm children is laughable.

    Simplistic stereotyping, and appeals to emotion don't alter the fact that by making it illegal to possess images, you cover up the evidence, ironically making it safer for those 'uncles' to publish. You also make it far easier for governments to make blocklists that censor other speech that you don't disagree with, using CP as the excuse.

    By going after the thousands and thousands of viewers, rather than concentrating resources on producers, you inadvertently cause more harm than you prevent. Essentially by supporting the criminalisation of possession, you support the actual physical abuse of someone.

    The argument that it's better to arrest someone looking at pictures, rather than those making them, is the real joke. One that the hardcore producers no doubt rely on to continue producing, whilst the jails are filled with low hanging fruit and people that are far less dangerous.

    Your arguments have been around for many years, and over those years we have seen lots of people's lives destroyed so that people like you can be smug about the 'balding 40-50yr obese men' (false stereotype) that have been put away. Way to miss the point. The demand for images will always be there, people will always make them. You won't even make a dent on those numbers, especially trying to take out all the viewers. The most you can say for those tactics, is that it really fills the jobs out for the cops that do it, gives the charities and politicians some nice prole feed to get away with their money grabbing. There is a multi billion dollar child porn industry out there, trouble is, it's being run by the 'good guys', and they use the ignorance of people like you to fund their comfortable lives.

    If you're a member of that industry, then ignore what I just said, you're a lost cause anyway and don't give two shits about actual children. Just the money they generate with the current witch hunts. If however you really do give a shit, and your livelihood doesn't rely on destroying 'pedos' lives for extra funding and covering up evidence from public view, I suggest you read these articles.

    http://falkvinge.net/2012/09/07/three-reasons-child-porn-must-be-re-leg…

    http://falkvinge.net/2012/09/11/child-porn-laws-arent-as-bad-as-you-thi…

    They may not change your mind at all, you may be fully convinced that a zero tolerance approach is working and that when all child porn is gone (not going to ever happen) and all abuse has been stopped, the world will suddenly be 100% safe, because there are no abusers left in the world, all thanks to the child porn witch hunt. I wonder what they'll move onto next, perhaps they'll go after gays again.

    "Essentially by supporting the criminalisation of possession, you support the actual physical abuse of someone." - Sounds like you're taking too many hits of the bong buddy.

    khled.8@hotmai.com

    August 05, 2013


    Perhaps someone with more technical skills than myself could construct an onion page that would allow Tor users to see if their particular setup was vulnerable to the exploit.

    khled.8@hotmai.com

    August 05, 2013


    I'm sorry if I sound stupid but if I clicked the big blue S next to the onion at the top mean if I visited a FH website I will be safe

    khled.8@hotmai.com

    August 05, 2013


    So is it true that NoScript DOES NOT block JavaScipt source code inside iFrames, even when activated plus JavaScript deactivated in browser settings?

    Seems that this attack won't affect most users. You must be on windows, have slightly out-of-date TBB, and disable browsing through tor after visiting an affected site. I'm not convinced that it will fail to phone-home after the cookie expires, but it doesn't matter much since not many people would use their Tor Browser for anything other than browsing through Tor.

    Kinda stupid that they didn't spread a piece of malware through the exploit. It was completely capable of it and would have been much more effective assuming they took the time to avoid being identified by all those useless AV programs.

    No you don't have to deactivate browsing through TOR to be affected. It is a JavaScript SECURITY EXPLOIT BYPASSING TOR, which phones home with YOUR REAL IP ADDRESS. No malware needed. Just a slightly old version of the Tor Browser Bundle.
    It fired your ip address right at them and they got you. Why would they need malware for this?

    You don't need to "disable browsing through tor after visiting an affected site" for the exploit to work. If you visit an infected site with javascript enabled in a vulnerable browser on windows, then your IP and MAC address are logged on a government server more or less immediately.

    Still, there are far fewer affected than previously assumed.

    I actually remember "NoScript" notifications in hindsight, not quite mentally registering what they were. Since the PC was slow anyway at the time (which is sometimes the case recently), I thought it was some standard notification about a crashed plugin. Now I only hope it didn't really crash at the time, because that might mean something got through afterwards. Or would NoScript not be able to crash in that way?

    Should I just call them and ask if they're on to me? Do they have something like the Amazon Support Chat?

    Yes, but make sure you have your social security number ready, along with a list of any illegal websites you have visited. This should speed up the process.

    I don't want to go to jail :(
    https://twitter.com/vlad902/status/364475870930419712
    HEELP!! What should I do now?? I'm not a pedo, just average deep-web user.

    Perhaps if you go to jail, others will realise this crusade has nothing to do with pedos, and everything to do with shutting down one of the last places they can't fully control information wise. When you get there, you can tell the other residents you're not a pedo, don't worry they'll believe you.

    Collateral damage in a war without end.

    It's not about controlling information, it's about purging images of children being sexually abused. Most people would give up a slice of control and an ounce of privacy for the sake of removing sexual abuse images. The whining of pedos is so annoying.

    Troll.

    The first thing that people need to do in response to this incident is to CALM DOWN. Be vigilant, think things through, but don't go overboard.

    As an IT professional, I can tell you that there's no such thing as "foolproof defenses". Given enough time and money, anything can be overcome. In 332 BC Alexander the Great demanded the surrender of the city of Tyre. Since the walled city was a small island off the coast of Phoenicia, they refused. Over the next six months, Alexander's army (and a large group of involuntary laborers) built a causeway to the island wide and strong enough to support siege towers that battered the walls down.

    There are three basic concepts to information security (INFOSEC): vulnerability, threat, and control. These three concepts can be used to describe any situation.

    -Vulnerability is like an unlocked door-- a weakness that can be exploited.

    -Threat is the potential to do harm. In most cases, this is from people. Threats can be internal or external to the TOR network.

    -Control is the action (or technology) that prevents a threat from exploiting a vulnerability.

    For example, imagine a room full of valuables. The *threat* is that someone outside of the room will enter and steal something from it. The *control* is the locked door. The threat (a thief) cannot get past the door and is stopped. However, if the room has a window(s), a *vulnerability* that bypasses the strong door, then the threat may gain entry through that other path.

    In short, threats are blocked by control of the vulnerabilities. Whenever examining a security issue, begin by identifying the vulnerability, the threat (who might attack this way), and the control (how the attack will be thwarted).

    "Distrust and caution are the parents of security" ~~Benjamin Franklin


    They just needed a reason to gain access to tor to mess the tranquility up. They couldn't care less about poor little children. They want to regulate bitcoin and drugs. It's time to fortify Tor and have mirrors.

    There are 4 Information Security goals (INFOSEC) - [being shared for the benefit of the community, mainly directed towards directors/owners of hidden services on deepweb. Most of this should be common sense to sysadmins and operators]:

    1. Confidentiality---The protected item must be accessible only by authorized people or applications. Clearly define the people and technologies that have authorized access.

    a. Examples of confidentiality:
    -Protection of information in the system from unauthorized disclosure.
    -In some cases it may be advisable to protect even the existence of a data file.
    -Systems should be accessible only by authorized parties.
    -Prevent downloading of confidential data. If download is necessary, ensure only properly authorized users can do so.

    b. Confidentiality controls
    -Limit the users who can read from files and access programs that can read files. This can be done with operating system security, internal database security, etc.
    -Ensure all data backups and reports are properly safeguarded and shredded when no longer needed.

    2. Integrity---Protect from accidental or intentional unauthorized changes. An accidental change that erases critical data is just as damaging as an intentional act.

    a. Examples of integrity:
    -Protection of systems from intentional or accidental unauthorized changes.
    -Assets that can be modified only by authorized parties (as more systems move into the cloud, this is an even greater concern)
    b. Establishing integrity control:
    -Encrypt communications through virtual private networks.
    -Store regular data backups securely offsite.
    -Separate duties between developers and system implementers.
    -Rotate duties.

    3. Availability---Assets are accessible to authorized users when needed.

    a. Examples of problems with availability:
    -Denial of service
    -Loss of data processing capabilities as a result of natural or man-made disasters.
    -Fires, floods, storms, earthquakes and law enforcement make facilities unavailable.
    b. Establishing availability control
    -Create an alternate data center in a separate location (set up automatic conditional failover [you can script it] in the event that the primary is compromised).
    -Maintain mirrored databases.
    -Segment network into virtual networks.

    4. Authenticity---assurance that user is who they say they are.

    a. Example of authenticity assurance:
    -User ID/password.
    b. Establishing authenticity control:
    -Require strong passwords, change frequently.
    -Biometric identification.
    -Authentication tokens (incl. OTP generators)

    Remember, it is not possible to protect everything forever and there is no such thing as a 100 percent foolproof defense. A determined opponent with unlimited time and resources can crack whatever defenses have been built. The trick is to outlast the attacker until they give up and go after a weaker target (hint: setup dummy systems)

    What process does it use to send the data ? I have a firewall app that blocks all unknown processes requests.

    From what i understood, it goes thru the browser itself, your firewall would've allowed it thru.

    What process does it use to send the IP ? My software firewall blocks all unknown apps from accessing the internet.

    Should we expect a raid if we are not in the USA ? I doubt a single click on the link could provoke this.

    If this is a part of a global operation definitely - yes but later. If this is a USA operation, then raids will come up within days, to keep digital evidence and prevent the suspect from wiping hard drives and flash sticks. Of course it depends on the court and state jurisdiction. So as mentioned before, better wipe your drives and just be ready to contact your lawyer.

    Glad I don't use any of the FH based sites, haven't been on Tormail any time lately and use NoScript religiously. But does anyone have any suggestions for communicating or leaving contact details on SR since presumably everyone will be avoiding Tormail?

    Jews did this.

    khled.8@hotmai.com

    August 06, 2013



    WTF?! IMO they should go after the trolls and haters instead.

    P.S. Wow, procrastinating over checking Email turns out to be A Good Thing!

    so I'm a bit confused, I've used for the past maybe 2 weeks or a month the 2.3.25-10 release of the tbb

    I presumed javascript was turned off for some reason but it appears not, however fingers crossed I've nae visited any affected sites

    But reports are that it affects ff17? so even if javascript was turned on if you're using the above version would it still work? or is that exploit only for folk using older versions of the tbb/ff?

    it's times like this I don't think I'm bright enough to be digging around in the onionworld lol

    Freenet removes Javascript by default but Tor does not?
    https://freenetproject.org/news.html#2013-tor-bust

    I am new to TBB. I visited a freedom hosting site two days ago and it showed me a " down for maintenance " message. My TBB firefox version is 10.0.05 ESR and I had javascript DISABLED. Is it probable that my identity has been compromised? I use Windows NT.

    It's a shame that my TBB is not the latest because every time I clicked the check for updates button, it showed me that the browser was up to date. Didn't occur to me to manually check the TOR website.

    One more thing: is there anyway I can know I have been compromised?

    Isnt your home page https://check.torproject.org/ which shows there is an update available? Also there is an exclamation icon over the tor button.

    You are not shown these or you missed them?

    I had set my home page to something else. And no, I am not shown all those signs of an outdated TBB.
    But I had JS disabled. So am I safe?

    10.0.05 is bad news but a disabled JS is good news. You're covered.

    he he derp derp I are retarded lawlz derp he derp I is idiot.

    Has someone tested the exploit to see if it works ?

    I was last on tormail back in march... I didn't use any fh stuff since then... so everything should be fine ?

    I have a software firewall that blocks unknown executables by default. Could it have blocked the malware ?

    The payload which calls some network related WindowsAPI has not been executed by an "unknown executable". The payload was injected directly into the process space of FF, so nope nothing should have been blocked by an application level firewall which allows FF to access the net.

    Trawling for Tor Hidden Services: Detection, Measurement, Deanonymization

    http://www.ieee-security.org/TC/SP2013/papers/4977a080.pdf

    Since the government isn't above hacking peoples systems, it seems like they would not be above planting evidence while they are at it. The exploit loads dynamic code so they could use it to download and save illegal images to random locations around the users hard drive without the victim's knowledge. Only people with IP addresses on their hitlist would receive their "special" payload and that way the security researchers might not stumble on it. That would let them get rid of troublesome dissidents.

    You should propose two versions of the TBB, one for those who need strict and real protection, and another one for the morons who need to watch cats on Youtube.

    So having JS disabled would have stopped the exploit. Would torbutton have done the same on older FF/Vidalia bundles?

    ok guys, straight up: Am I safe if I had Javascript disabled while browsing on TOR regardless of my TBB version? I guess many users have the same question.

    Here's what I think happened (correct me if I am wrong - after all I am a noob) :

    The malicious code was triggered on outdated versions of TBB which had JS enabled when the user visited an FH Site. This code then opened up firefox and phoned back home.

    Am I right? or did the code manage all this through TBB without opening up firefox externally?

    Given the funding sources of TOR Project which include the likes of
    U.S. government (60%) and Google, I'm not sure why anyone in their right mind would even support let alone put their trust in TOR by using TBB? The fact that it is open source makes no difference as not only will there always be non-tech people using it, but it sets the stage for breaches from many different directions as we've seen here. Please go ahead and correct my thinking. These guys seem really dedicated in providing tools for us to "Protect [our] privacy. Defend [ourselves] against network surveillance and traffic analysis" and I should be grateful for their efforts. But how easy was it for this little slip to occur albeit from the part of the user? How perfect would this be from the perspective of an Orwellian state seeking entity? It seems trust is being broken down on every level these days, deliberately or not. There's a big pot of unrest brewing in the world.

    OK, now I am a real noob. And I only have a single question:

    If JavaScript was globally disabled in my browser and NoScript was activated - does that mean that the JavaScript-exploit could not even begin to do the job it was supposed to?

    Thank you.

    A lot of unknowns at this time, but it appears you needed to have three things for the exploit to compromise you:

    1 Windows
    2. Vulnerable browser (v 17-17.07 etc). Looks like they might have targeted browsers below 17, but no one has the shellcode for content_1, so maybe it wasn't implemented. Hidden wiki person thinks it is only v17 that is targeted.
    3. JS enabled. This is the killer. They could perhaps just see who has this enabled, and that is that. Is this the first version that had JS enabled by default? If so, it makes sense that they would specifically target this version, more so than earlier versions that theoretically had it the other way around.

    It would seem that if JS was disabled when you went to "infected" sites, you "should" be OK. I really don't know.

    Surfing Safe always involved no JS and no cookies. Guess that got forgotten along the way.